Hacking attack in Canada bears signs of Chinese army unit - expert

OTTAWA/TORONTO | By David Ljunggren and Alastair Sharp

A man types on a computer keyboard in Warsaw in this February 28, 2013 illustration file picture.

Reuters/Kacper Pempel/Files

OTTAWA/TORONTO The recent hacking attempt on a sensitive Canadian government computer network is similar to attacks mounted by an elite unit of the Chinese army based in Shanghai, according to a cybersecurity expert.

Canada said on Tuesday "a highly sophisticated Chinese state-sponsored actor" had broken into the National Research Council, a leading body that works with major companies such as aircraft and train maker Bombardier Inc Beijing on Thursday accused Canada of making irresponsible accusations that lacked credible evidence.

While Canada did not give details of the attack, CrowdStrike Chief Technology Officer Dmitri Alperovitch said it was similar to other hacking campaigns launched by a unit of the People's Liberation Army that his company has nicknamed 'Putter Panda.' The group, Unit 61486, has thousands of people and conducts intelligence on satellite and aerospace industries, he said.

"It certainly looks like one of the actors we track out of China that we've seen going after aircraft manufacturers in the past," Alperovitch said. CrowdStrike is a California-based security technology company.

Ottawa's public complaint was the first time it had ever identified a suspect in a string of attacks on government and commercial computers.

A former Canadian cabinet minister, Stockwell Day, separately confirmed for the first time on Thursday that Chinese operators were suspected of hacking into the Finance Department and the Treasury Board, a body with overall responsibility for government spending, in 2011.

The Canadian government has never publicly said who it thought was behind the 2011 attacks. Day - who had some responsibility for cyber security when he was in office - said Ottawa suspected those responsible were Chinese.

"Canada, lacking reliable evidence, has wrongly censured China without any provocation, and this is an irresponsible action," ministry spokesman Qin Gang said, according to the ministry's website. "China resolutely opposes this."

WARNING SHOT

China is Canada's second most important trading partner after the United States, and bilateral trade is growing. Total Canada-China trade was C$69.8 billion in 2012 and $72.9 billion in 2013, according to official Canadian data.

Although Canada enjoys good relations with China, which it sees as a promising market for crude, the high-profile nature of the latest target, the NRC, may have made it impossible for Ottawa to keep quiet.

"By making it public, it's a warning shot across the bow, saying 'We treat this stuff very seriously'," said Gordon Houlden, a former Canadian diplomat who served for years in Beijing and who heads the University of Alberta's China Institute.

In May, the United States charged five Chinese military officers and accused them of hacking into American nuclear, metal and solar companies to steal trade secrets. The officers in that case worked for PLA Unit 61398.

"All the action on the part of the U.S. government has opened the flood gates for others to talk," Alperovitch said.

Canadian Prime Minister Stephen Harper's office did not respond to a request for comment. Officials from Foreign Minister John Baird's office declined to comment.

John McDougall, president of the National Research Council, told employees on a conference call on Tuesday that the hackers may have obtained client information and data.

"We know that any information held in our systems - including employees' personal information - may have been compromised," he said in the call, a recording of which was posted on CTV television's website.

The NRC is being forced to set up a new secure computer network which could take up to a year to build.

Day said the NRC network had links to up to 40 other systems.

"If you get inside those cyber walls you are inside the building," Day told Reuters, saying that once hackers had gained access they could "go down other corridors".

The Communications Security Establishment, which detected the attack, declined to give further details.

A spokesman said the agency was actively working with the NRC and other government partners "to assess and mitigate this cyber-intrusion event".

(Additional reporting by Mark Hosenball in Nwe York and Jim Finkle in Boston; Editing by Tiffany Wu)